aboutsummaryrefslogtreecommitdiffstats
path: root/framework/src/audit/docs/audispd.conf.5
diff options
context:
space:
mode:
authorAshlee Young <ashlee@wildernessvoice.com>2015-11-29 08:22:13 -0800
committerAshlee Young <ashlee@wildernessvoice.com>2015-11-29 08:22:13 -0800
commitdf5afa4fcd9725380f94ca6476248d4cc24f889a (patch)
tree65456f62397305febf7f40778c5a413a35d094ef /framework/src/audit/docs/audispd.conf.5
parent76f6bf922552c00546e6e85ca471eab28f56986c (diff)
v2.4.4 audit sources
Change-Id: I9315a7408817db51edf084fb4d27fbb492785084 Signed-off-by: Ashlee Young <ashlee@wildernessvoice.com>
Diffstat (limited to 'framework/src/audit/docs/audispd.conf.5')
-rw-r--r--framework/src/audit/docs/audispd.conf.550
1 files changed, 50 insertions, 0 deletions
diff --git a/framework/src/audit/docs/audispd.conf.5 b/framework/src/audit/docs/audispd.conf.5
new file mode 100644
index 00000000..5955a8fe
--- /dev/null
+++ b/framework/src/audit/docs/audispd.conf.5
@@ -0,0 +1,50 @@
+.TH AUDISPD.CONF: "5" "March 2014" "Red Hat" "System Administration Utilities"
+.SH NAME
+audispd.conf \- the audit event dispatcher configuration file
+.SH DESCRIPTION
+\fBaudispd.conf\fP is the file that controls the configuration of the audit event dispatcher. Each line should contain one configuration keyword, an equal sign, and then followed by appropriate configuration information. All option names and values are case insensitive. The keywords recognized are listed and described below. Each line should be limited to 160 characters or the line will be skipped. You may add comments to the file by starting the line with a '#' character.
+
+.TP
+.I q_depth
+This is a numeric value that tells how big to make the internal queue of the audit event dispatcher. A bigger queue lets it handle a flood of events better, but could hold events that are not processed when the daemon is terminated. If you get messages in syslog about events getting dropped, increase this value. The default value is 80.
+.TP
+.I overflow_action
+This option determines how the daemon should react to overflowing its internal queue. When this happens, it means that more events are being received than it can get rid of. This error means that it is going to lose the current event its trying to dispatch. It has the following choices:
+.IR ignore ", " syslog ", " suspend ", " single ", and " halt ".
+If set to
+.IR ignore ,
+the audisp daemon does nothing.
+.I syslog
+means that it will issue a warning to syslog.
+.I suspend
+will cause the audisp daemon to stop processing events. The daemon will still be alive. The
+.I single
+option will cause the audisp daemon to put the computer system in single user mode.
+.I halt
+option will cause the audisp daemon to shutdown the computer system.
+.TP
+.I priority_boost
+This is a non-negative number that tells the audit event dispatcher how much of a priority boost it should take. This boost is in addition to the boost provided from the audit daemon. The default is 4. No change is 0.
+.TP
+.I max_restarts
+This is a non-negative number that tells the audit event dispatcher how many times it can try to restart a crashed plugin. The default is 10.
+.TP
+.I name_format
+This option controls how computer node names are inserted into the audit event stream. It has the following choices:
+.IR none ", " hostname ", " fqd ", " numeric ", and " user ".
+.IR None
+means that no computer name is inserted into the audit event.
+.IR hostname
+is the name returned by the gethostname syscall. The
+.IR fqd
+means that it takes the hostname and resolves it with dns for a fully qualified domain name of that machine.
+.IR Numeric
+is similar to fqd except it resolves the IP address of the machine.
+.IR User
+is an admin defined string from the name option. The default value is
+.IR none ".
+.TP
+.I name
+This is the admin defined string that identifies the machine if user is given as the name_format option.
+.SH "SEE ALSO"
+.BR audispd (8)